Although many privacy class actions have been filed in Canada over the last few years, the vast majority settle rather than being decided on the merits. That makes the recent Ari v Insurance Corporation of British Columbia, 2022 BCSC 1475 (Ari) summary trial decision all the more interesting as one of the first merits decisions. The Court considered privacy rights in the context of a statutory tort of privacy along with the broader implications for businesses as a result of unauthorized employee access to customers’ personal information.
- Summary trials, which can often be heard sooner and more cost-effectively than conventional trials, can be used in class actions to determine some or all common issues. Like ICBC in Ari, defendants in class actions may face summary trial applications by plaintiffs and be required to marshal their case in response at an earlier stage. Defendants should also consider whether a summary trial will advance their litigation goals by, for instance, determining liability in their favour at an early stage.
- Organizations will need to be careful about who they notify of a breach and the wording of that notification. Once an organization has notified affected individuals that their information was improperly accessed, it may be found to have effectively admitted a breach in respect of all of the individuals notified and not be able to force them to prove the breach in a subsequent lawsuit. This means that organizations must carefully consider, at an early stage, how to meet their statutory notification requirements without unduly broadening the pool of individuals who may eventually make up the class.
- When setting internal policies that limit how employees can use customers’ personal information, organizations should also consider and establish monitoring and enforcement mechanisms to prevent or detect misuse. Otherwise, they may be found to have created a foreseeable risk of privacy breaches at the hands of their employees and, as a result, be vicariously liable. An employer’s vicarious liability is a strict liability that does not depend on the fault of the employer.
- Organizations should also ensure they respect their privacy obligations and discipline employees who breach internal privacy policies. Otherwise, there is a risk of punitive damages.
The Insurance Corporation of British Columbia (ICBC) operates a universal compulsory vehicle insurance plan and maintains databases that include personal information on everyone in the province who holds a driver’s licence or is a registered owner of a motor vehicle. That information includes names, addresses, vehicle descriptions, licence plate numbers, and claims histories. An employee accessed the information of 78 of ICBC’s customers and sold the information of at least 45 of those customers to criminals. ICBC subsequently notified the 78 customers that their information was wrongly accessed. The houses and vehicles belonging to 13 of those individuals were targeted in arson and shooting attacks.
Following the criminal proceedings, a class action for breach of privacy under section 1 of the Privacy Act, RSBC 1996, c 373, was certified on behalf of all 78 individuals whose personal information was improperly accessed and those who live with them, including but not limited to those who were actually victimized in the attacks. After the class action was certified, class counsel brought a summary trial application to determine certified common issues, including whether the employee breached the Privacy Act, whether ICBC was vicariously liable for the employee’s actions, and whether class members were entitled to damages, including punitive damages. The Court was not asked to consider the amount of damages.
Summary trial suitability
The Court first considered whether the class action was suitable for determination at a summary trial, and it concluded that it was. In making that determination, the Court considered the common issues that it would be required to consider and what facts were actually in issue.
With regard to the privacy breach under the Privacy Act, the Court must assess whether the plaintiff was entitled to privacy in the circumstances and, if so, whether the defendant breached the plaintiff’s privacy. The Court balances the plaintiff’s reasonable expectation of privacy against any lawful interest the defendant may have. Here, the Court determined the employee had breached the Class Members’ privacy under the Privacy Act by accessing their personal information from ICBC databases wilfully and without a claim of right.
In this case, the Court found that the contact information and all of the other personal information were illegally accessed and disclosed by the employee resulting in the breach of privacy. Further, the employee’s improper access to the information alone was sufficient for finding a breach of privacy, regardless of the fact that she had later passed the information to a criminal. This was in part because providing personal information to ICBC (as a universal compulsory motor vehicle insurer) was truly not voluntary, in part due to internal ICBC policies which required employees to keep personal information private, and in part from the conclusion that a reasonable person providing that information to ICBC would expect that it would be used only for the purposes related to the operation of the insurance plan or vehicle registration. As such, the improper access breached the reasonable expectation of ICBC customers.
Although ICBC had notified 78 customers of a breach because their information had been improperly accessed, it attempted to limit its liability to the smaller subset of 45 class members whose information had admittedly been passed on to the criminals. The Court refused to allow ICBC to do so. Having notified all 78 customers that their information was wrongly accessed, ICBC could not then require any of the 78 to prove a breach.
On the issue of vicarious liability, the Court found that ICBC was vicariously liable for the rogue employee’s actions. ICBC had clearly created the risk of wrongdoing by providing access to customers’ personal information. Still, despite internal policies forbidding the use of that information for purposes other than those related to their employment, ICBC had not established any monitoring or enforcement mechanisms to prevent or catch misuse.
The Court considered class members’ entitlement to non-pecuniary and pecuniary damages, and whether ICBC should pay punitive damages.
Non-pecuniary damages are losses that cannot be easily assigned a dollar value, such as pain and suffering. The Court found that all class members were entitled to non-pecuniary damages. The question of how much they were entitled to was not before the Court, but it noted that the amount, for at least some class members, may be nominal.
Pecuniary damages are losses with an easily quantifiable dollar value, such as damage to homes or vehicles. The Court had not been asked to determine the amount of pecuniary damages but did conclude that individual class members may be entitled to them and would have to prove them in the future.
Lastly, ICBC was not found liable for punitive damages as it did not show malicious, arbitrary, or highly reprehensible conduct such as ignoring customer privacy completely or continuing to employ the employee after her privacy violations.
For more information, please reach out to the authors, Kelly Osaka, Julie Facchin and Melika Mostowfi.